Posted by kdawson on Tuesday July 27, 2010 @08:43PM from the brains-for-a-filling dept.

A privacy activist has filed a lawsuit targeting eight corporate users of Quantcast's "zombie" Flash cookies, in addition to Quantcast itself. The suit alleges that MTV, ESPN, MySpace, Hulu, ABC, Scribd, and others used Quantcast's Flash-based cookies to recreate browser tracking cookies that users had taken the trouble to delete. "At issue is technology from Quantcast, also targeted in the lawsuit. Quantcast created Flash cookies that track users across the web, and used them to re-create traditional browser cookies that users deleted from their computers. These 'zombie' cookies came to light last year, after researchers at UC Berkeley documented deleted browser cookies returning to life. Quantcast quickly fixed the issue, calling it an unintended consequence of trying to measure web traffic accurately. ... The lawsuit (PDF)... asks the court to find that the practice violated eavesdropping and hacking laws, and that the practice of secretly tracking users also violated state and federal fair trade laws. The lawsuit alleges a 'pattern of covert online surveillance' and seeks status as a class action lawsuit."

On a serious note, I wonder if browsers with private browsing modes sandbox flash cookies? When you go back to normal browsing mode, will the flash cookies from tentaclerapecentral.com still be mixed in with your other flash cookies? Let's find out!

I'm going to clear my flash cookies, disable BetterPrivacy, then mess around in the Adobe Flash settings page in private browsing mode. This will cause my browser to pick up flash cookies.

Then I'll go back into normal browsing mode and look in my flash cookie fol

Flash Sharedobjects aren't the same as cookies. They are often used as save files for Flash games. Then we have badly behaving programs like CCleaner which aggressively try to delete them all until you notice that it's about to delete all your save files, and stop it before it wipes them away.

CCleaner behaves badly? I beg to differ. CCleaner cleans trash. It ASKS you if you want to clean trash, then it TELLS you about the trash it finds, then ASKS again if you want to delete the trash.

Those who are too stupid to follow directions and/or to examine the results before taking out the trash deserve what they get.

As for those flash game files - big deal if all of them are deleted. The wife plays online flash games. Her files have been deleted by one or another privacy software. She logs back in to the site, and all her "important" saved stuff is loaded back onto her computer. Geez - that's a real burden isn't it?

After the first time, she learned how to delete those super cookies without deleting the files she wanted saved.

Terrible learning curve, that. It took her all of 30 seconds of cussing and bitching, plus another 90 seconds of reading, and then ten more seconds to change the settings.

Meanwhile, Better Privacy routinely deletes all the asshattery of flash cookies that she didn't specifically authorize on her machine, and everyone is happy. Except the asshats, of course.

As for the lawsuit - yes, Super Cookies are a hack, and should be subject to hacking laws that are meant to protect the average user. Burn Quantcast for developing and using it, and burn everyone who has bought the damned thing. I don't care WHAT business you are in - you have no right to track people unless they specifically opt-in to a tracking program, with full knowledge and understanding of what they are doing.

"Are we back to feudalism?"
I think you misunderstood the term feudalism. That's the period where knights fought for their kingdoms and princesses got stuck in towers. Not the period where an offshore oil platform exploded, killing eleven people. The more you know...

From TFA: The lawsuit (.pdf), filed in U.S. district court in San Francisco, asks the court to find that the practice violated eavesdropping and hacking laws, and that the practice of secretly tracking users also violated state and federal fair trade laws.

Why hasn't anyone been led away in handcuffs? Are all the broken laws misdemeanors with a small fine, or what? Is it that no rich and powerful man goes to prison unless a richer and more powerful man wants him there? It sure seems so; Sony's XCP, the mine disaster several months ago where there had been repeated fines for the safety violations that ultimately led to two dozen deaths? Someone should have been charged with negligent manslaughter, and from what I've read, so should someone from BP.

+1 on BetterPrivacy. Install that as an add-on, and it works on Windows and OS X. No more worries about Flash shared objects because it can be set to zap them at very short time intervals, as well as when you open or close the browser.

Firefox + BetterPrivacy + AdBlock + NoScript probably do as much for keeping a Windows machine clear of malicious software as most AV programs.

I also use Cookie Monster for managing cookies. The only problem with NoScript is that it causes a lot of problems for people who aren't techies, like the date-picker not working, some submits not working, etc, since they don't know when to add a site to the white list. So I tend to install only AdBlock and BetterPrivacy for the non-techies.

NoScript users must temporarily allow adobe.com as well. (But at least you don't need to allow real cookies for either domain.)

You can set the flash plugin to not store any data, but it sure gets annoying on some sites when the volume controls don't work. You can also set it to ask, but it's even more annoying to try and hit the "cancel" button 15 times with choppy video behind it.

Yes. If you tighten up the privacy controls enough on Flash, many video sites won't play, and some play badly. YouTube's player, for example, will display the "Press ESC to exit full screen mode" for the duration of play. There's absolutely no reason why that feature should depend on storing persistent information. It would be interesting to subpoena the developer and the documentation during development to determine if that was willfully put in to discourage users from using strict privacy settings.

Good luck making a program that can export that format reliably from pretty much any given program in the way that PDFs can be. And when you're done, can you explain to the people I work with why it's better having an XHTML file and all the separate image files rather than one combined, portable file? Don't get me wrong, I hate them too but there's a reason that they're so popular.

Better yet, use AppArmor or SELinux to stop it accessing anything it shouldn't access. When I created an AppArmor profile for Flash player I was amazed by all the places it tries to read from and write to.

If your theory holds, the French could sue the Germans under the DMCA for circumventing the Maginot line [wikipedia.org]. Here's a pro tip: there are some circumventions which have jack all to do with copyright law.

Except it isn't circumventing anything. If you are dumb enough to install Flash on your computer then you've given your permission. Uninstall Flash if you're so paranoid. Gawd knows Flash is a lot more of a danger to your computer experience than cookies are.

I agree with you though. This is a problem solved by a technological solution (BetterPrivacy, a shell script that runs and zaps the Flash directory, or something along those lines), rather than by having it be litigated.

Litigation may even backfire, and a judge might rule that removing Flash cookies is considered circumventing DRM on Flash objects, and may make it even more difficult for utilities like BetterPrivacy or CCleaner to even exist.

This isn't far-fetched. Anyone remember a few years back, a verdict against a P2P site where they were ordered to log every single change that happened even in RAM on a machine?

I can see a defendant arguing that the "DRM" for a flash game is the Flash shared objects, and if the judge isn't aware about issues, he or she might render a very punishing verdict which would take millions of dollars to appeal.

Oh, fuck that. This is worthy of some serious competition to Adobe in the form of Flash Player Replacement [wikipedia.org] options. SVG and Canvas are nice and all, but there must be alternate ways to view the same content similar to competing web browsers for viewing the same HTML.

Well, this sort of thing is the reason why so many content providers are reluctant to move to HTML5 and away from Flash. When they talk about the additional capabilities that Flash has, this is what they mean. The ability to track your usage and gather information about you. (and the back room deals Adobe cuts along the way to deliver this data) Yet people clamor for Flash on their mobile phones.

Say what you will about Apple, in this case they're absolutely right. Perhaps not for the right reasons, but

Web browsers also support cookies natively, and it is possible to use these with html5 without explicitly requiring Flash to 'track your usage and gather information about you', and many, many advertising and other such companies do so. Flash sharedobjects are just a piece of technology. They aren't any more evil or suspicious than normal cookies. All this company does is store a copy of your cookies in a flash cookie so if you delete the one, they can restore it from the other.

Flash cookies are handled perfectly. You may need to use ${LOGNAME} instead. I've added these lines to the beginning of my daily backup job. Simple. Effective.

Adobe AIR probably does something similar, so check for that crap in a similar manner, if you still have AIR installed. I removed it after 7 days of use. Talk about crap. It is slower than Java and bloated even more than iTunes + Outlook + Java, IMHO.
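
The cleanup approach mentioned in the comments above (a shell script that zaps the Flash directory, run from a scheduled job), as an added example that is not any commenter's own script: it lists which domains have stored Flash shared objects and deletes them while sparing an allowlist, so wanted game saves survive. The function names, the keep-file and the sample tree are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Assumed layout: <root>/#SharedObjects/<random-id>/<domain>/.../*.sol
# Usual roots: ~/.macromedia/Flash_Player (Linux),
#              ~/Library/Preferences/Macromedia/Flash Player (macOS).

# Emit "domain<TAB>path" for every LSO under <root>.
lso_list() {
    base="$1/#SharedObjects"
    [ -d "$base" ] || return 0
    find "$base" -type f -name '*.sol' | while IFS= read -r f; do
        rel=${f#"$base"/}      # <random-id>/<domain>/.../file.sol
        rel=${rel#*/}          # <domain>/.../file.sol
        printf '%s\t%s\n' "${rel%%/*}" "$f"
    done
}

# Domains that have stored at least one LSO, sorted and de-duplicated.
lso_domains() { lso_list "$1" | cut -f1 | sort -u; }

# Delete all LSOs except those of domains listed in keep-file (one per line,
# e.g. sites whose game saves should survive). Prints the number removed.
lso_purge() {
    keep_file=${2:-}
    lso_list "$1" | while IFS="$(printf '\t')" read -r domain path; do
        if [ -f "$keep_file" ] && grep -qxF -e "$domain" "$keep_file"; then
            continue
        fi
        rm -f -- "$path" && printf '%s\n' "$path"
    done | wc -l | tr -d ' '
}

# Build a constructed sample tree (made-up id and domains); prints its root.
lso_sample_tree() {
    t=$(mktemp -d) || return 1
    so="$t/#SharedObjects/AB12CD34"
    mkdir -p "$so/tracker.example" "$so/games.example/play"
    : > "$so/tracker.example/id.sol"
    : > "$so/games.example/data.sol"
    : > "$so/games.example/play/save 1.sol"
    printf '%s\n' "$t"
}

# Usage: sh lso.sh <flash-root>   lists the domains holding LSOs.
[ "$#" -eq 0 ] || lso_domains "$1"
```

Listing the domains before purging shows which sites were storing objects at all, which is the check a respawned cookie would otherwise hide.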

Actually this is not a troll. Take a look in the C:\windows\help\tours\mmtour folder of a new Windows XP 32-bit installation and you will find that the tour is SWF based.

Among other DLLs pre-installed on the system is a Flash 3 or Flash 4, or some similar early version DLL (I forget the version or exact file name, but a search for 'flash' or 'swf' in file names on a brand new XP install (you might need to run the tour first to have it appear) should probably find it). I don't believe the browser plug-in ever came pre-installed, but the core DLL most definitely did.